Sunday, October 26, 2008

Microsoft releases out-of-band emergency security patch

What is it?

Microsoft has released an emergency security patch for ALL VERSIONS of its operating systems, from Windows 2000 to Vista and Server 2008. This vulnerability is on par with the SLAMMER worm that took over and exploited machines worldwide a couple of years ago, and there is already a self-replicating worm in the wild that exploits it. The worms Gimmiv.A and Syp-Agent.da exploit the vulnerability and infect machines throughout a network without requiring any interaction from a user.

Gimmiv.A in particular rifles through a machine's private information and posts passwords to a remote server on the Internet for later exploitation. It then looks for other machines on the network with the vulnerability and infects them. Laptops in particular are at risk because they move between being behind a hardware firewall and being exposed in front of it on public networks. The older your machine is, the more at risk you are. Recent OS releases such as Microsoft Vista automatically firewall themselves on public networks. Older systems do not, so users of XP or Windows 2000, especially if they're not behind a firewall, should be especially careful.

A hardware firewall (and most software firewalls) will stop the threat by blocking access to the ports the worm needs to reach the system. This exploit does not travel over the web or through websites, though the payload may well be added to website exploits at some later date. The exploit DOES travel over the Internet.

What should you do?

Our first and foremost recommendation is one we've made for years: get thee behind a hardware firewall. Exposing your machine directly to the Internet is a primary reason that systems get infected. If you have a laptop, be sure it's adequately firewalled and that you understand how to run that firewall (or get a professional to configure it for you), since you are most at risk. Hardware firewalls are inexpensive and efficient. For a good home firewall we recommend the BEFSR41, a basic firewall from Linksys, though there are plenty of other options in that market.

Once you are sure your machine is safe, you should run Windows Update to get the update if you are on XP, Windows 2003 Server, Windows 2008 Server or Windows Vista (any version). If you are still on Windows 2000, get a new machine for Pete's sake (just kidding); there is a Windows 2000 download available at the link under Further sources below.

To run Windows Update on Windows XP or 2003 Server, go to http://update.microsoft.com and follow the prompts. On Windows Vista and 2008 Server, choose Start / All Programs / Windows Update.

It is imperative that you update SOONER RATHER THAN LATER!

If you are experiencing severe network slowdowns on your systems, it is possible that the worm is already on your network hammering other machines. Remember that unlike Slammer, however, this exploit simply pillages your machine for information, infects other machines, then hides itself. You may not notice until your antivirus software or OS starts to complain that it can't run. It's not a bad idea, after updating all machines, to update your virus signatures and scan all machines in your network, especially if you have externally exposed machines such as laptops.
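As an added example (not from the original post), the following PowerShell script checks the two things this section asks for on one Windows host: that the MS08-067 update is installed and that the Windows Firewall is on. It assumes you fill in the KB article number from the bulletin linked below, that the machine runs PowerShell with WMI and netsh available, and that netsh prints its English output (the text matching depends on it).

```powershell
# Added example, not from the original post: verify MS08-067 patch state and
# firewall state on the local machine. Assumptions: the KB number comes from the
# MS08-067 bulletin (placeholder below); English netsh output on XP/2003/Vista/2008.
param(
    # Placeholder: replace with the KB article number listed in the MS08-067 bulletin.
    [string]$HotfixId = "KB<number from MS08-067 bulletin>"
)

function Test-HotfixInstalled {
    param([string]$Id)
    # Win32_QuickFixEngineering lists installed updates; match on the HotFixID field.
    $fixes = Get-WmiObject -Class Win32_QuickFixEngineering
    return [bool]($fixes | Where-Object { $_.HotFixID -eq $Id })
}

function Test-FirewallEnabled {
    # Vista/2008 expose "netsh advfirewall"; XP/2003 only have the older "netsh firewall".
    $adv = netsh advfirewall show allprofiles 2>$null
    if ($LASTEXITCODE -eq 0 -and $adv) {
        # Every profile's "State" line must read ON. A laptop whose Public profile is OFF
        # is exactly the exposed case the post warns about, so one OFF profile fails the check.
        $states = $adv | ForEach-Object { if ($_ -match '^State\s+(\w+)') { $matches[1] } }
        $off = @($states | Where-Object { $_ -ne 'ON' })
        return (@($states).Count -gt 0) -and ($off.Count -eq 0)
    }
    # Legacy firewall: "Operational mode = Enable" means the firewall is on.
    $legacy = netsh firewall show state 2>$null
    return [bool]($legacy | Where-Object { $_ -match 'Operational mode\s*=\s*Enable' })
}

$patched  = Test-HotfixInstalled -Id $HotfixId
$firewall = Test-FirewallEnabled

Write-Host ("Computer        : {0}" -f $env:COMPUTERNAME)
Write-Host ("Hotfix installed: {0}" -f $patched)
Write-Host ("Firewall enabled: {0}" -f $firewall)

if (-not $patched)  { Write-Warning "Hotfix $HotfixId is missing: run Windows Update now." }
if (-not $firewall) { Write-Warning "Windows Firewall is not enabled on every profile." }
```

Run it from an elevated PowerShell prompt on each machine you are worried about; a laptop that reports the hotfix missing or any firewall profile OFF is the one to patch first.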

Further sources:

Microsoft urgent security bulletin: http://www.microsoft.com/protect/computer/updates/bulletins/200810_oob.mspx

Microsoft technical details on the bulletin:
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

The Register article on the trojans: http://www.theregister.co.uk/2008/10/24/trojan_exploits_wormable_microsoft_flaw/

Microsoft security download for Windows 2000 (no Windows update):
http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3&displaylang=en

McAfee blog about the new trojan:
http://www.avertlabs.com/research/blog/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/

Symantec on the vulnerability:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-102320-3122-99

Cheers,

Lee Drake
www.os-cubed.com
OS-Cubed, Inc.
274 North Goodman St.
Suite A401
Rochester, NY 14607
Main: 585-756-2444
Fax: 585-756-2443